US12093433B2 · Active · Utility · PatentIndex 59
Processor with network stack domain and system domain using separate memory regions
Assignee: MICROSOFT TECHNOLOGY LICENSING LLC · Priority: Aug 19, 2019 · Filed: Mar 13, 2023 · Granted: Sep 17, 2024
Est. expiry: Aug 19, 2039 (~13.1 yrs left) · nominal 20-yr term from priority
H04L 63/102, H04L 63/08, G06F 2221/2149, G06F 2221/033, G06F 21/44, G06F 9/541, G06F 9/445, G06F 8/65, H04L 67/12, H04W 4/70, G06F 21/55, H04W 12/12, H04L 63/14, G06F 21/53, G06F 21/74, G06F 21/57
PatentIndex Score: 59 · Cited by: 0 · References: 30 · Claims: 20
Abstract
The disclosed technology is generally directed to network security for processors. In one example of the technology, a computing device includes: a processor, a memory, and a network interface. The computing device executes a first binary within a first region of the memory, executes a separate second binary within a second region of the memory, and prevents the second binary from accessing the first region of the memory. The first binary implements a kernel configured to control the network interface, while the separate second binary implements a network stack that is restricted to communicate only with an identified set of trusted servers.
Claims
exact text as granted — not AI-modified
We claim:
1. A method, implemented at a computing device that includes a processor, a memory, and a network interface, comprising:
executing a first binary within a first region of the memory, the first binary implementing,
a kernel configured to control the network interface, and
a first set of networking functions defined by open system interconnect (OSI) layer 1 and OSI layer 2;
executing a second binary within a second region of the memory, the second binary being separate from the first binary and implementing,
a network stack that is restricted to communicate only with an identified set of trusted servers, and
a second set of networking functions defined by OSI layer 3, OSI layer 4, OSI layer 5, OSI layer 6, and OSI layer 7; and
preventing the second binary from accessing the first region of the memory.
2. The method of claim 1, wherein:
the set of trusted servers is identified based on certificate; and
the network stack identifies a trusted server using a certificate-based authenticating protocol.
3. The method of claim 1, wherein one of a memory management unit (MMU) or a memory protection unit (MPU) protects the first region of the memory from the second region of the memory.
4. The method of claim 1, wherein executing the second binary within the second region of the memory includes one or more of:
granting execution permissions to the second region of the memory; or
locating the second binary into the memory, updating a memory page permission, and relocating the second binary to a base address within the second region of the memory.
5. The method of claim 1, wherein the first binary and the second binary communicate only through a defined interface.
6. The method of claim 5, wherein the defined interface comprises an OSI layer 2 interface, an OSI layer 3 interface, and an OSI layer 7 interface.
7. The method of claim 1, wherein the kernel includes a real-time operating system (RTOS).
8. The method of claim 1, wherein the computing device is an Internet of Things (IoT) device.
9. The method of claim 1, wherein the computing device is a microcontroller (MCU).
10. The method of claim 1, further comprising updating the second binary independently from the first binary.
11. A computing device, comprising:
a processor;
a memory;
a network interface; and
a processor-readable medium storing processor-readable instructions that are executable by the processor to at least:
execute a first binary within a first region of the memory, the first binary implementing,
a kernel configured to control the network interface, and
a first set of networking functions defined by open system interconnect (OSI) layer 1 and OSI layer 2;
execute a second binary within a second region of the memory, the second binary being separate from the first binary and implementing,
a network stack that is restricted to communicate only with an identified set of trusted servers, and
a second set of networking functions defined by OSI layer 3, OSI layer 4, OSI layer 5, OSI layer 6, and OSI layer 7;
prevent the second binary from accessing the first region of the memory; and
permit the first binary and the second binary to communicate only through a defined interface.
12. The computing device of claim 11, wherein the defined interface comprises an OSI layer 2 interface, an OSI layer 3 interface, and an OSI layer 7 interface.
13. The computing device of claim 11, wherein:
the set of trusted servers is identified based on certificate; and
the network stack identifies a trusted server using a certificate-based authenticating protocol.
14. The computing device of claim 11, wherein one of a memory management unit (MMU) or a memory protection unit (MPU) protects the first region of the memory from the second region of the memory.
15. The computing device of claim 11, wherein the kernel includes a real-time operating system (RTOS).
16. The computing device of claim 11, wherein the computing device is a microcontroller (MCU).
17. The computing device of claim 11, instructions that are executable by the processor to update the second binary independently from the first binary.
18. A processor-readable storage medium storing processor-readable instructions that are executable by a processor to cause a computing device to at least:
execute a first binary within a first region of a memory, the first binary implementing,
a kernel configured to control a network interface, and
a first set of networking functions defined by open system interconnect (OSI) layer 1 and OSI layer 2;
execute a second binary within a second region of the memory, the second binary being separate from the first binary and implementing,
a network stack that is restricted to communicate only with a set of trusted servers identified based on certificate, and
a second set of networking functions defined by OSI layer 3, OSI layer 4, OSI layer 5, OSI layer 6, and OSI layer 7; and
prevent the second binary from accessing the first region of the memory.
19. The processor-readable storage medium of claim 18, wherein:
the set of trusted servers is identified based on certificate; and
the network stack identifies a trusted server using a certificate-based authenticating protocol.
20. The processor-readable storage medium of claim 18, wherein one of a memory management unit (MMU) or a memory protection unit (MPU) protects the first region of the memory from the second region of the memory.
Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.